Travel companies need to “significantly” increase spend on up-to-date technology and “do the basics” to protect themselves from cyberattacks.
This could mean investing 1%-5% of operating revenue in technology, according to experts from CRIBB Cyber Security. The current average for travel companies is less than 1%.
In the second part of anti-fraud group Profit’s Secure Our Systems (SOS) campaign, backed by Travel Weekly, experts stressed the need for travel businesses to recognise the value of investing in up-to-date computer systems and having a security framework that meets minimum government standards.
The government-backed Cyber Essentials guidance ensures companies have the basics in place to protect against cybercrime but could also result in lower potential fines under GDPR and improve business efficiency as a whole, stressed Conor Byrne, managing director, CRIBB Cyber Security, which assesses and advises operators and agents on cybersecurity and is a member of Profit.
He said: “It’s not just about cyberattacks; good information governance is critical. Most tour operators which go through this process clear all the chaff out of their database and their conversion rates go up because they are no longer spending time contacting people who do not want to book with them.”
Cyber Essentials consists of five key elements: secure configuration; firewalls; access control; patch management (keeping systems up to date); and malware protection (anti-virus and anti-spam technology).
Secure configuration relates to having “reasonably modern” technology that uses best practice to ensure computers are not vulnerable to attacks.
Byrne said many travel companies invest far less in technology than companies in other sectors such as finance and healthcare, which allocate 5%-8% of turnover.
He said: “Travel businesses need to up their spend; in our experience total IT spend needs to be at least 5% of operational turnover.
“People need to put a value on the technology in their businesses. Often they are paying more in rent than on IT.”
All companies also need firewalls to stop attacks from external hackers, and should put proper controls in place so that not all staff can access all information, for example by scrapping ‘generic’ logins in favour of individual passwords.
Only authorised staff should have access to certain information through separate “administration” passwords.
“There is no accountability with generic logins,” said Byrne. “If someone is fired from a business they have access to the system and could give it to someone else.”
Patch management means keeping computer systems up to date with the latest software as it is released by the manufacturers, while malware protection is about having the right anti-virus and anti-spam software.
Patrick Carolan, technical director, CRIBB Cyber Security, warned travel companies using legacy systems could be at much higher risk of attack.
He said: “Anyone using operating systems below Windows 7 or below is no longer supported by Microsoft, and is putting their company at serious risk. They will not be getting updates and the operating system will be easier to hack into.”
Byrne also warned companies not to rely on technology advice from friends and family. He said: “Smaller companies often take advice from a friend or family who knows a little about IT which leads to severe technology problems. Home IT and business IT are very different. Companies need to go to someone who really knows about technology and preferably technology specific to the travel sector.”
What are the benefits of a cybersecurity framework?
Ensuring a travel business has an approved cyber framework in place could protect it from lawsuits as well as reputational damage if it suffers a serious cyberattack.
CRIBB Cyber Security managing director Conor Byrne said a cyberattack can do much more than compromise a business’s secure data: it can result in fines under GDPR and civil actions by employees, as well as destroying a company’s reputation among consumers.
He warned company bosses could be prosecuted in cases of serious security breaches.
He said: “We are already seeing executives being prosecuted for the most serious breaches so they need to be aware of this and it should be fed down to employees from the top.
“When you have a breach you must now let your customers know about it, it puts your executives and your company’s reputation at risk, and there can be lawsuits from employees.”
Byrne also warned that, in the longer term, travel company partners such as suppliers and airlines, as well as banks, will only work with agents that meet security standards.
“Eventually the big guys will say no they can’t work with you until you have a minimal level of support in place,” he said.